Development and operations a practical guide
Equipment and Software Cost
Download 4.62 Mb. View original pdf
|
- Navigate this page:
- Pre- and Post-Engagement Cost
| Equipment and Software Cost Red Teams must maintain a common toolset ready to be leveraged on any engagement. The toolset can be comprised of both free and paid tools. This toolset can be further customized to meet the specific needs once an engagement has been scoped (or contracted if external. During many engagements, a target has an obscure piece of equipment, tool, or software within the target environment that requires a specialized hardware device or software interface. It is recommended that the target provides access to a reference system for Red Team use to reduce cost. If this option is not available, or the target decides that a goal is to understand how the Red Team obtains access, the additional overhead and cost maybe rolled into the overall engagement costs. Customization of tools, specialized software, or hardware must be identified early during scope planning to capture impact to scope. Travel Cost Travel cannot be forgotten during planning. Funds must be allocated if an engagement is conducted at a specific target site or other remote location. These funds must include lodging, flights, local transportation, per diem costs, and miscellaneous expenses. For US. based teams, following GSA travel and per diem rates can be a good starting point to set travel budgets. Many organizations will use these rates and optionally add a percentage as a benefit and incentive to lessen the stress and burden of travel. For instance, it can be common to use GSA rates x 1.25. This has been a successful method to provide operators a good rate to cover lodging, meals, and incidentals. Pre- and Post-Engagement Cost Inexperienced teams often fail to allocate time and funds for pre- and post-engagement (non-execution time) activities. Most engagements require some form of information or intelligence gathering (OSINT), and passive target reconnaissance before execution. They also need time for infrastructure preparation and, occasionally, custom tool development. They all require planning before execution and analysis and reporting following execution. Don't forget to account for these efforts in the planning and costing/budgeting process. This section does not cover every possible element required to appropriately budget, fund, or quote a Red Team engagement. It is written to prompt thought and discussion on the actual costs and expected line items of an engagement. Actual planning takes time and repetition to develop an effective process. |